Microsoft warns of new Windows zero-day bug

Gregg Keizer
Jan. 28, 2011

Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

In lieu of a patch, Microsoft recommended that users lock down the MHTML protocol handler by running a "Fixit" tool it has made available. The tool automates the process of editing the Windows registry, which, if done carelessly, could cripple a PC, and lets IE users continue to run MHTML files that include scripting by clicking through a warning.

Microsoft has had to deal with protocol handler vulnerabilities before, notably in 2007 when Microsoft and Mozilla argued over patching responsibility for similar bugs.

Today's confirmation of another Windows vulnerability adds to an already-long list of flaws that Microsoft has acknowledged but not yet fixed. According to Microsoft's tally, there are five outstanding vulnerabilities that require its attention.

One of the five was also disclosed by the same Chinese site that revealed the vulnerability discussed Friday. Microsoft first acknowledged the earlier WooYun.org-revealed bug on Dec. 22, several weeks after French security firm Vupen had issued a bare-bones advisory that said all versions of IE were at risk.

Microsoft has admitted that criminals are already exploiting the December IE vulnerability, and earlier this month shipped a first-of-its-kind workaround for the bug.

Today Microsoft said it has seen no similar activity on the MHTML vulnerability.

"We are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely," said Gunn of Friday's flaw.